Route to Bugs: Analyzing the Security of BGP Message Parsing

Original article: https://www.blackhat.com/us-23/briefings/schedule/index.html#route-to-bugs-analyzing-the-security-of-bgp-message-parsing-32162

This talk discusses an often-overlooked aspect of Border Gateway Protocol (BGP) security: vulnerabilities in its software implementations, and more specifically in BGP message parsing.

Software suites implementing BGP are relied upon for Internet routing and for functions such as internal routing in most large data centers as well as MPLS L3 VPNs. Following the Network Function Disaggregation (NFD) trend, many leading implementations are nowadays open source.

A lot of (deserved) attention is given in the community to the aspects of BGP protocol security discussed in RFC 4272, which can be mitigated with RPKI and BGPsec. However, recent BGP incidents show that a single malformed packet can be enough to cause a large disruption.

We will present a quantitative analysis of previously known vulnerabilities in popular open- and closed-source BGP implementations, and focus the talk on an extensive new analysis of seven modern implementations. There are two main findings in this research:
• Some implementations process parts of OPEN messages (e.g., decapsulating optional parameters), before validating the BGP ID and ASN fields of the originating router. This means that only TCP spoofing (instead of a complete takeover of a configured peer) is required to inject malformed packets.
• We found three new vulnerabilities in a leading open-source implementation, FRRouting, which could be exploited to achieve denial of service on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive. These vulnerabilities were found using a fuzzer we developed and will release to the community.
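The first finding above is about the order in which an OPEN message is processed. The following Python parser is an added example; it is not code from the talk or from any of the implementations it analyzes. It shows the defensive ordering: header and length checks first, then the sender's ASN and BGP Identifier checked against the configured peer, and only then the optional-parameter TLVs, each bounds-checked against its container. The message layout follows RFC 4271 and the capabilities parameter RFC 5492; the peer values, helper names (`parse_open`, `build_open`, `rejection_stage`) and sample messages are constructed for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# RFC 4271 constants; everything else in this file is example code.
BGP_MARKER = b"\xff" * 16
BGP_TYPE_OPEN = 1
BGP_HEADER_LEN = 19       # marker + length + type
BGP_OPEN_FIXED_LEN = 29   # header + version, AS, hold time, identifier, opt-param length
BGP_MAX_MSG_LEN = 4096


class OpenRejected(Exception):
    """OPEN refused; `stage` records how far the parser got before refusing."""

    def __init__(self, stage: str, reason: str) -> None:
        super().__init__(f"{stage}: {reason}")
        self.stage = stage
        self.reason = reason


@dataclass
class ParsedOpen:
    version: int
    my_as: int
    hold_time: int
    bgp_id: str
    opt_params: list = field(default_factory=list)  # (param type, value bytes)


def parse_open(msg: bytes, expected_as: int, expected_id: str) -> ParsedOpen:
    """Parse an OPEN, refusing it before any optional parameter is touched
    unless the fixed fields identify the configured peer."""
    # Stage 1: common header and length consistency.
    if len(msg) < BGP_OPEN_FIXED_LEN:
        raise OpenRejected("header", "shorter than the minimum OPEN")
    if msg[:16] != BGP_MARKER:
        raise OpenRejected("header", "bad marker")
    length, mtype = struct.unpack_from("!HB", msg, 16)
    if mtype != BGP_TYPE_OPEN:
        raise OpenRejected("header", f"type {mtype} is not OPEN")
    if not (BGP_OPEN_FIXED_LEN <= length <= BGP_MAX_MSG_LEN) or length != len(msg):
        raise OpenRejected("header", "length field inconsistent with message")

    # Stage 2: fixed fields, including the identity of the sending router.
    version, my_as, hold_time, id_raw, opt_len = struct.unpack_from("!BHHIB", msg, BGP_HEADER_LEN)
    bgp_id = str(ipaddress.IPv4Address(id_raw))
    if version != 4:
        raise OpenRejected("fixed", f"unsupported version {version}")
    if hold_time != 0 and hold_time < 3:
        raise OpenRejected("fixed", f"hold time {hold_time} below the RFC 4271 minimum")
    if my_as != expected_as or bgp_id != expected_id:
        raise OpenRejected("identity", f"AS {my_as} / ID {bgp_id} is not the configured peer")

    # Stage 3: optional parameters, reached only for the configured peer.
    if BGP_OPEN_FIXED_LEN + opt_len != length:
        raise OpenRejected("opt-params", "optional parameter length inconsistent with message")
    params = []
    off, end = BGP_OPEN_FIXED_LEN, BGP_OPEN_FIXED_LEN + opt_len
    while off < end:
        if end - off < 2:
            raise OpenRejected("opt-params", "truncated parameter header")
        ptype, plen = msg[off], msg[off + 1]
        if off + 2 + plen > end:
            raise OpenRejected("opt-params", f"parameter type {ptype} overruns its container")
        params.append((ptype, msg[off + 2 : off + 2 + plen]))
        off += 2 + plen
    return ParsedOpen(version, my_as, hold_time, bgp_id, params)


def build_open(my_as: int, hold_time: int, bgp_id: str, opt_params: bytes = b"") -> bytes:
    """Assemble an OPEN from its fields (used here only to construct sample input)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(ipaddress.IPv4Address(bgp_id)), len(opt_params))
    body += opt_params
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_TYPE_OPEN) + body


def rejection_stage(msg: bytes, expected_as: int, expected_id: str):
    """Return the stage at which `msg` is refused, or None if it is accepted."""
    try:
        parse_open(msg, expected_as, expected_id)
    except OpenRejected as exc:
        return exc.stage
    return None


# Constructed sample input: the configured peer is AS 65001 / 192.0.2.1.
PEER_AS, PEER_ID = 65001, "192.0.2.1"
# Capabilities parameter (type 2) carrying one Multiprotocol capability (code 1)
# for IPv4 unicast: a well-formed optional parameter.
CAPS = b"\x02\x06" + b"\x01\x04\x00\x01\x00\x01"
GOOD_OPEN = build_open(PEER_AS, 90, PEER_ID, CAPS)
# A parameter whose declared length (16) overruns the 1 byte that follows it.
OVERRUN_PARAMS = b"\x02\x10\x01"
FROM_PEER_BAD = build_open(PEER_AS, 90, PEER_ID, OVERRUN_PARAMS)
FROM_STRANGER_BAD = build_open(65002, 90, PEER_ID, OVERRUN_PARAMS)

if __name__ == "__main__":
    print(parse_open(GOOD_OPEN, PEER_AS, PEER_ID))
    for name, m in [("peer, overrun", FROM_PEER_BAD), ("stranger, overrun", FROM_STRANGER_BAD)]:
        print(name, "->", rejection_stage(m, PEER_AS, PEER_ID))
```

The point of the three-stage ordering is visible in the two malformed samples: the one from an unexpected ASN is refused at the identity stage, so its optional parameters are never decoded, while the same broken parameter from the configured peer is refused by the bounds check. An implementation that decodes optional parameters before stage 2 exposes its TLV parser to anyone who can get a TCP segment accepted, which is the distinction the first finding draws.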

Our research shows that many modern BGP implementations still contain low-hanging fruit that attackers can abuse.